SYSTEM_THREAD_INFORMATION

The SYSTEM_THREAD_INFORMATION structure is an irregularly
recurring element in what a successful call to ZwQuerySystemInformation or
NtQuerySystemInformation produces in its output buffer
when given the information class SystemProcessInformation
(0x05).

This information class produces descriptions not just of the running processes
but also of those processes’ threads. A quick summary is that the information for
each process is a fixed-size SYSTEM_PROCESS_INFORMATION
structure and the following variable-size data:

an array of SYSTEM_THREAD_INFORMATION structures,
one per thread;

and a null-terminated Unicode string for the process’s name.

The totality of the output for all processes is a sequence of these sets, one
per process. In each set, the NextEntryOffset member
at the beginning of the SYSTEM_PROCESS_INFORMATION tells
how many bytes to advance from that SYSTEM_PROCESS_INFORMATION
to the next, or is zero in the last. The NumberOfThreads
member in a SYSTEM_PROCESS_INFORMATION tells how many
SYSTEM_THREAD_INFORMATION structures are in the array
that immediately follows the SYSTEM_PROCESS_INFORMATION.

Documentation Status

The SYSTEM_THREAD_INFORMATION structure was for
many years undocumented. It is nowadays documented online as part of the Terminal
Services Terminal Server (MS-TSTS) Runtime Interface Protocol. It is not known when
Microsoft first published this documentation, which includes a complete C-language
definition. The copyright notice for the particular page is for 2016 but the MS-TSTS
documentation in general seems to have been published first in 2013.

Layout

The size of a SYSTEM_THREAD_INFORMATION is 0x40 or
0x50 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)

Offset (x64)

Definition

0x00

0x00

LARGE_INTEGER KernelTime;

0x08

0x08

LARGE_INTEGER UserTime;

0x10

0x10

LARGE_INTEGER CreateTime;

0x18

0x18

ULONG WaitTime;

0x1C

0x20

PVOID StartAddress;

0x20

0x28

CLIENT_ID ClientId;

0x28

0x38

LONG Priority;

0x2C

0x3C

LONG BasePriority;

0x30

0x40

ULONG ContextSwitches;

0x34

0x44

ULONG ThreadState;

0x38

0x48

ULONG WaitReason;

This page was created on 9th July 2016 but was not published
until 26th October 2016. It was
last modified on 28th October 2016.